On a theorem of Mestre and Schoof

by John E. Cremona and Andrew V. Sutherland
Résumé (translated from the French). A well known theorem of Mestre and Schoof implies that the cardinality of an elliptic curve $E$ defined over a finite field $\mathbb{F}_q$ can be determined uniquely by computing the orders of a few points on $E$ and on its quadratic twist, provided that $q > 229$. We extend this result to all finite fields with $q > 49$, and to all prime fields with $q > 29$.

Abstract. A well known theorem of Mestre and Schoof implies that the order of an elliptic curve $E$ over a prime field $\mathbb{F}_q$ can be uniquely determined by computing the orders of a few points on $E$ and its quadratic twist, provided that $q > 229$. We extend this result to all finite fields with $q > 49$, and all prime fields with $q > 29$.

Let $E$ be an elliptic curve defined over the finite field $\mathbb{F}_q$ with $q$ elements. The number of points on $E/\mathbb{F}_q$, which we simply denote $\#E$, is known to lie in the Hasse interval

$$\mathcal{H}_q = [\,q + 1 - 2\sqrt{q},\; q + 1 + 2\sqrt{q}\,].$$

Equivalently, the trace of Frobenius $t = q + 1 - \#E$ satisfies $|t| \le 2\sqrt{q}$. A common strategy to compute $\#E$, when $q$ is not too large, relies on the fact that the points on $E/\mathbb{F}_q$ form an abelian group $E(\mathbb{F}_q)$ of order $\#E$. For any $P \in E(\mathbb{F}_q)$, the integer $\#E$ is a multiple of the order $|P|$ of $P$, and the multiples of $|P|$ that lie in $\mathcal{H}_q$ can be efficiently determined using a baby-steps giant-steps search. If there is only one multiple in the interval, it must be $\#E$; if not, we may try other $P \in E(\mathbb{F}_q)$ in the hope of uniquely determining $\#E$. This strategy will eventually succeed if and only if the group exponent

$$\lambda(E) = \operatorname{lcm}\{\,|P| : P \in E(\mathbb{F}_q)\,\}$$

has a unique multiple in $\mathcal{H}_q$. When this condition holds we expect to determine $\#E$ quite quickly: with just two random points in $E(\mathbb{F}_q)$ we already succeed with probability greater than $6/\pi^2$ (see [2, Theorem 8.1]).

Unfortunately, $\lambda(E)$ need not have a unique multiple in $\mathcal{H}_q$. However, for prime $q$ we have the following theorem of Mestre, as extended by Schoof [1, Theorem 3.2]; the result as stated in [1] refers to the order of a particular point $P$, but the following is an equivalent statement.

Theorem 1 (Mestre-Schoof). Let $q > 229$ be prime and $E$ an elliptic curve over $\mathbb{F}_q$ with quadratic twist $E'$. Either $\lambda(E)$ or $\lambda(E')$ has a unique multiple in $\mathcal{H}_q$.

The quadratic twist $E'$ is an elliptic curve defined over $\mathbb{F}_q$ that is isomorphic to $E$ over the quadratic extension $\mathbb{F}_{q^2}$, and is easily derived from $E$. The orders of the groups $E(\mathbb{F}_q)$ and $E'(\mathbb{F}_q)$ satisfy $\#E + \#E' = 2(q + 1)$. For prime fields with $q > 229$, Theorem 1 implies that we may determine one of $\#E$ and $\#E'$ by alternately computing the orders of points on $E$ and $E'$, and once we know either $\#E$ or $\#E'$, we know both.

Theorem 1 does not hold for $q = 229$. Since there are counterexamples whenever $q$ is a square, it does not hold in general for non-prime finite fields either. The argument in the proof of [1, Theorem 3.2] does not use the primality of $q$, but only that $q$ is both large enough and not a square, so that the Hasse bound on $t$ cannot be attained. If $q = r^2$ is an even power of a prime, then there are supersingular elliptic curves $E$ over $\mathbb{F}_q$ such that

$$E(\mathbb{F}_q) \cong (\mathbb{Z}/(r-1)\mathbb{Z})^2 \quad\text{and}\quad E'(\mathbb{F}_q) \cong (\mathbb{Z}/(r+1)\mathbb{Z})^2.$$

One may easily check that there are at least 5 multiples of $r - 1$, and at least 3 multiples of $r + 1$, in $\mathcal{H}_q$; however for $r > 7$ ($q > 49$), the only pair of such multiples summing to $2(q + 1)$ is $(r-1)^2$ and $(r+1)^2$. This resolves the ambiguity in these cases, leaving a finite number of small exceptions. For example, when $q = 49$ there is more than one pair of multiples of 6 and 8 (respectively) which sum to $2(q + 1) = 100$, since $100 = 36 + 64 = 60 + 40$.

The preceding observation led to this note, whose purpose is to extend Theorem 1 to treat all finite fields (not just prime fields) $\mathbb{F}_q$ with $q > 49$, and all prime fields with $q > 29$. Specifically, we prove the following:

Theorem 2. Let $q \notin \{3, 4, 5, 7, 9, 11, 16, 17, 23, 25, 29, 49\}$ be a prime power, and let $E/\mathbb{F}_q$ be an elliptic curve. Then there is a unique integer $t$ with $|t| \le 2\sqrt{q}$ such that $\lambda(E) \mid (q + 1 - t)$ and $\lambda(E') \mid (q + 1 + t)$.

Our proof is entirely elementary, relying on just two properties of elliptic curves over finite fields:

(a) $\#E = q + 1 - t$ and $\#E' = q + 1 + t$ for some integer $t$ with $|t| \le 2\sqrt{q}$;

(b) $E(\mathbb{F}_q) \cong \mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z}$ with $n_1$ dividing both $n_2$ and $q - 1$.

Proofs of (a) and (b) may be found in most standard references, including [3]. We note that $n_2 = \lambda(E)$, and $n_1 = 1$ when $E(\mathbb{F}_q)$ is cyclic.

Proof of Theorem 2. Let $E$ be an elliptic curve over $\mathbb{F}_q$, and put $\#E = mM$ with $M = \lambda(E)$, and $\#E' = nN$ with $N = \lambda(E')$; by (b), $m \mid M$, $n \mid N$, and both $m$ and $n$ divide $q - 1$. Without loss of generality (swapping $E$ and $E'$ if necessary), we assume $a = q + 1 - \#E \ge 0$. Taking $t = a$ shows existence, by (a) and (b) above, so we need only prove that $t = a$ is the unique $t$ satisfying the conditions stated in the theorem. For any such $t$ we have $t \equiv q + 1 \pmod{M}$ and $t \equiv -(q + 1) \pmod{N}$; hence $t$ lies in an arithmetic sequence with difference $\operatorname{lcm}(M, N)$. We also have $|t| \le 2\sqrt{q}$; thus if $\operatorname{lcm}(M, N) > 4\sqrt{q}$, then $t = a$ is certainly unique.

We now show that $\operatorname{lcm}(M, N) \le 4\sqrt{q}$ implies $q \le 1024$. We start from

$$mMnN = (q + 1 - a)(q + 1 + a) = (q + 1)^2 - a^2 \ge (q + 1)^2 - 4q = (q - 1)^2,$$

which yields

$$mn \;\ge\; \frac{(q - 1)^2}{MN} \;=\; \frac{(q - 1)^2}{\gcd(M, N)\,\operatorname{lcm}(M, N)}. \tag{1}$$

Let $d = \gcd(m, n)$. Then $d^2$ divides $mM + nN = 2(q + 1)$ (since $d \mid m \mid M$ and $d \mid n \mid N$), so $d \mid (q + 1)$, but also $d \mid (q - 1)$, hence $d \le 2$. This implies $2\operatorname{lcm}(M, N) \ge 2\operatorname{lcm}(m, n) \ge mn$. We also have $\gcd(M, N) \le \gcd(m, n)\gcd(M/m, N/n) \le 2\gcd(M/m, N/n)$. Applying these inequalities to (1) we obtain

$$\operatorname{lcm}(M, N)^2 \;\ge\; \frac{(q - 1)^2}{4\gcd(M/m, N/n)}. \tag{2}$$

We now suppose $\operatorname{lcm}(M, N) \le 4\sqrt{q}$, for otherwise the theorem holds. We have $nN = q + 1 + a \ge q$, since we assumed $a \ge 0$, and $N \le 4\sqrt{q}$ implies that $n \ge \sqrt{q}/4$, so $N/n \le 16$. Applying $\gcd(M/m, N/n) \le N/n \le 16$ to (2) yields

$$4\sqrt{q} \;\ge\; \operatorname{lcm}(M, N) \;\ge\; (q - 1)/8,$$

which implies that the prime power $q$ is at most 1024.

The cases for $q \le 1024$ are addressed by a program listed in the appendix that outputs the values of $q$, $M = \lambda(E)$, and $N = \lambda(E')$ for which exceptions can arise. This yields the set of excluded $q$ and completes the proof. □

Application. The proof of Theorem 2 suggests an algorithm to compute $\#E$, provided that $q$ is small enough for the orders of randomly chosen points in $E(\mathbb{F}_q)$ to be easily computed. It suffices to determine integers $a$ and $m$ for which the set $S = \{x : x \equiv a \pmod{m}\}$ contains $t = q + 1 - \#E$ but no $t' \ne t$ with $|t'| \le 2\sqrt{q}$. Beginning with $m = 1$ and $a = 0$, we compute $|P|$ for random points $P$ in $E(\mathbb{F}_q)$ or $E'(\mathbb{F}_q)$, and update $a$ and $m$ to reflect the fact that $t \equiv q + 1 \pmod{|P|}$ when $P \in E(\mathbb{F}_q)$, and $t \equiv -(q + 1) \pmod{|P|}$ when $P \in E'(\mathbb{F}_q)$. The new values of $a$ and $m$ may be determined via the extended Euclidean algorithm (the two congruences are always compatible, since both hold for the true $t$, and the updated $m$ is $\operatorname{lcm}(m, |P|)$). When the set $S$ contains a unique $t$ with $|t| \le 2\sqrt{q}$, we can conclude that $\#E = q + 1 - t$ (and also that $\#E' = q + 1 + t$).

The probabilistic algorithm we have described is a Las Vegas algorithm, that is, its output is always correct and its expected running time is finite. The correctness of the algorithm follows from property (a). Theorem 2 ensures that the algorithm can terminate (provided that $q$ is not in the excluded set), and [2, Theorem 8.2] bounds its expected running time.

An examination of Table 1 reveals that in many cases an ambiguous $t'$ could be ruled out if $\lambda(E)$ or $\lambda(E')$ were known. For example, when $q = 49$, the trace $t = -10$ yields $\#E = 60$ and $\#E' = 40$, so both $\lambda(E)$ and $\lambda(E')$ are divisible by 5 (and are not 6 or 8). If $E$ has trace $-10$, the algorithm above will likely discover this and terminate within a few iterations. But when the trace of $E$ is 14 (and $\lambda(E) = 6$ and $\lambda(E') = 8$), we can never be completely certain that we have ruled out $-10$ as a possibility. Thus when an unconditional result is required, we must avoid $q \in \{3, 4, 5, 7, 9, 11, 16, 17, 23, 25, 29, 49\}$.
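The point-order procedure described under Application, written out as an added example. This is illustrative code by the editor, not the authors' program. It assumes a prime field $\mathbb{F}_p$ with $p > 3$ and curves in short Weierstrass form $y^2 = x^3 + ax + b$, with the quadratic twist taken as $y^2 = x^3 + ad^2x + bd^3$ for a quadratic non-residue $d$. Because the fields are tiny, point orders are found by repeated addition and random points are drawn from a precomputed list, in place of the baby-steps giant-steps search the paper mentions; the bookkeeping on $(a, m)$ is the extended-Euclid/CRT update described above, and `exponent_candidates` computes the candidate set from $\lambda(E)$ and $\lambda(E')$ directly, as in the statement of Theorem 2. The two test curves are taken from Table 1 ($y^2 = x^3 + x$ over $\mathbb{F}_{29}$, the excluded case with $t = 10$) and, as an editor's choice of a non-excluded prime, the same equation over $\mathbb{F}_{31}$.

```python
import random
from math import gcd, isqrt

# Curves are y^2 = x^3 + a*x + b over F_p with p > 3 prime (assumption of this
# example); points are (x, y) tuples and None denotes the point at infinity O.

def ec_add(P, Q, a, p):
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                    # Q == -P
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def point_order(P, a, p):
    """|P| by repeated addition; fine for the tiny fields used here."""
    k, Q = 1, P
    while Q is not None:
        Q = ec_add(Q, P, a, p)
        k += 1
    return k

def affine_points(a, b, p):
    """All affine points of E(F_p), via a table of square roots mod p."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p) for y in roots.get((x**3 + a*x + b) % p, [])]

def count_points(a, b, p):
    return len(affine_points(a, b, p)) + 1             # plus the point at infinity

def quadratic_twist(a, b, p):
    """E': y^2 = x^3 + a d^2 x + b d^3 for the smallest non-residue d."""
    d = next(d for d in range(2, p) if pow(d, (p - 1) // 2, p) == p - 1)
    return a * d * d % p, b * d**3 % p

def egcd(x, y):
    """Returns (g, s, t) with s*x + t*y = g = gcd(x, y)."""
    if y == 0:
        return x, 1, 0
    g, s, t = egcd(y, x % y)
    return g, t, s - (x // y) * t

def crt_merge(a, m, b, k):
    """Combine t = a (mod m) with t = b (mod k) into t = c (mod lcm(m, k))."""
    g, s, _ = egcd(m, k)
    assert (b - a) % g == 0, "congruences must agree on the common modulus"
    l = m // g * k
    u = ((b - a) // g * s) % (k // g) if k // g > 1 else 0
    return (a + m * u) % l, l

def trace_candidates(a, m, p):
    """All t with |t| <= 2*sqrt(p) and t = a (mod m): the set S of the paper."""
    B = isqrt(4 * p)                                   # floor(2*sqrt(p))
    return [t for t in range(-B, B + 1) if (t - a) % m == 0]

def group_exponent(a, b, p):
    """lambda(E) = lcm of all point orders (exhaustive; small p only)."""
    lam = 1
    for P in affine_points(a, b, p):
        o = point_order(P, a, p)
        lam = lam * o // gcd(lam, o)
    return lam

def exponent_candidates(a, b, p):
    """Traces compatible with lambda(E) | (p+1-t) and lambda(E') | (p+1+t)."""
    M = group_exponent(a, b, p)
    N = group_exponent(*quadratic_twist(a, b, p), p)
    c, l = crt_merge((p + 1) % M, M, (-(p + 1)) % N, N)
    return trace_candidates(c, l, p)

def las_vegas_trace(a, b, p, seed=0, max_points=60):
    """Alternate random points on E and E', narrowing t = c (mod m).
    Returns (t, candidates); t is None if the candidate set never became a
    singleton within max_points draws (the ambiguity Theorem 2 warns about)."""
    rng = random.Random(seed)
    a2, b2 = quadratic_twist(a, b, p)
    pts = {False: affine_points(a, b, p), True: affine_points(a2, b2, p)}
    c, m = 0, 1
    for i in range(max_points):
        on_twist = bool(i % 2)
        P = rng.choice(pts[on_twist])
        o = point_order(P, a2 if on_twist else a, p)
        residue = (-(p + 1)) % o if on_twist else (p + 1) % o
        c, m = crt_merge(c, m, residue, o)
        cands = trace_candidates(c, m, p)
        if len(cands) == 1:
            return cands[0], cands
    return None, trace_candidates(c, m, p)

if __name__ == "__main__":
    print(las_vegas_trace(1, 0, 31))   # y^2 = x^3 + x over F_31: terminates
    print(las_vegas_trace(1, 0, 29))   # the excluded q = 29 of Table 1
```

The iteration cap is what turns the non-terminating run on an excluded $q$ into an explicit answer: for $y^2 = x^3 + x$ over $\mathbb{F}_{29}$ the candidate set stops shrinking at $\{-10, 10\}$, because $-10$ satisfies every congruence that $10$ does ($\lambda(E) = 10$ divides $40$ and $\lambda(E') = 20$ divides $20$), which is exactly the Table 1 entry for $q = 29$. For a real implementation the exhaustive point enumeration and repeated-addition orders would be replaced by random point generation and a baby-steps giant-steps search in $\mathcal{H}_q$.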

However, when $\lambda(E)$ and $\lambda(E')$ are known we have the following corollary, which extends Proposition 4.19 of [3].

Corollary 1. Let $E/\mathbb{F}_q$ be an elliptic curve. Up to isomorphism, the integers $\lambda(E)$ and $\lambda(E')$ uniquely determine the groups $E(\mathbb{F}_q)$ and $E'(\mathbb{F}_q)$, provided that $q \notin \{5, 7, 9, 11, 17, 23, 29\}$. In every case, $\lambda(E)$ and $\lambda(E')$ uniquely determine the set $\{E(\mathbb{F}_q), E'(\mathbb{F}_q)\}$.

Note that $\lambda(E)$ and $\#E$ together determine $E(\mathbb{F}_q)$, by property (b). To prove the corollary, argue as in the proof of Theorem 2, using a modified version of the algorithm in the appendix that also requires $(q + 1 - t')/M$ to divide $M$ and $(q + 1 + t')/N$ to divide $N$.

As a final remark, we note that all the exceptional cases listed in Table 1 can be eliminated if the orders of the 2-torsion and 3-torsion subgroups of $E(\mathbb{F}_q)$ are known (these orders may be computed using the division polynomials). Alternatively, one can simply enumerate the points on $E/\mathbb{F}_q$ to determine $\#E$ when $q \le 49$.

Appendix

For a prime power $q$, we wish to enumerate all $M$, $N$, and $t$ such that:

(i) $M$ divides $q + 1 - t$ and $N$ divides $q + 1 + t$, with $0 \le t \le 2\sqrt{q}$.

(ii) $(q + 1 - t)/M$ divides $M$ and $q - 1$, and $(q + 1 + t)/N$ divides $N$ and $q - 1$.

(iii) $M$ divides $q + 1 - t'$ and $N$ divides $q + 1 + t'$ for some $t' \ne t$ with $|t'| \le 2\sqrt{q}$.

Any exception to Theorem 2 must arise from an elliptic curve $E/\mathbb{F}_q$ with $\lambda(E) = M$, $\lambda(E') = N$, and $\#E = q + 1 - t$ (or from its twist, but the cases are symmetric, so we restrict to $t \ge 0$). Properties (i) and (ii) follow from (a) and (b) above, and (iii) implies that $t$ does not uniquely satisfy the requirements of the theorem.

Algorithm 1 below finds all $M$, $N$, and $t$ satisfying (i), (ii), and (iii). For $q \le 1024$, exceptional cases are found only for the twelve values of $q$ listed in Theorem 2. Not every case output by Algorithm 1 is actually realized by an elliptic curve (in fact, all but one of the exceptions fail the condition that $(q + 1 - t)/M \equiv (q + 1 + t)/N \pmod{2}$), but for each combination of $q$ and $t$ at least one is. An example of each such case is listed in Table 1, where we only list cases with $t \ge 0$: for the symmetric cases with $t < 0$, change the sign of $t$ and swap $M$ and $N$.

Algorithm 1. Given a prime power $q$, output all quadruples of integers $(M, N, t, t')$ satisfying (i), (ii), and (iii) above:

    for all pairs of integers (M, N) with sqrt(q) - 1 <= M, N <= 4 sqrt(q) do
        for all integers t in [0, 2 sqrt(q)] with M | (q + 1 - t) and N | (q + 1 + t) do
            let m = (q + 1 - t)/M and n = (q + 1 + t)/N
            if m | M and m | (q - 1) and n | N and n | (q - 1) then
                for all integers t' in [-2 sqrt(q), 2 sqrt(q)] with t' != t do
                    if M | (q + 1 - t') and N | (q + 1 + t') then
                        print M, N, t, t'
                    end if
                end for
            end if
        end for
    end for
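Algorithm 1 as an added, runnable example (editor's code, not the authors' program). It generalizes the loop structure slightly: instead of ranging $M$ and $N$ over $[\sqrt{q} - 1, 4\sqrt{q}]$, it takes $M$ among the divisors of $q + 1 - t$ and $N$ among the divisors of $q + 1 + t$ that satisfy (ii), and it replaces the inner $t'$ loop by the observation that, given (i), condition (iii) holds exactly when $t' \equiv t \pmod{\operatorname{lcm}(M, N)}$; since $M$ and $N$ then divide $t - t'$ with $0 < |t - t'| \le 4\sqrt{q}$, the paper's bounds on $M$ and $N$ are implied and the set of quadruples printed is the same. Run over every prime power $q \le 1024$ it reproduces the twelve excluded values of Theorem 2. The realizability filter mentioned in the text (parity of the cofactors) is deliberately not applied.

```python
from math import gcd, isqrt

def prime_powers(limit):
    """All prime powers p^k with 2 <= p^k <= limit, by a simple sieve."""
    is_prime = [True] * (limit + 1)
    out = []
    for p in range(2, limit + 1):
        if not is_prime[p]:
            continue
        for multiple in range(p * p, limit + 1, p):
            is_prime[multiple] = False
        q = p
        while q <= limit:
            out.append(q)
            q *= p
    return sorted(out)

def divisors(n):
    small = [d for d in range(1, isqrt(n) + 1) if n % d == 0]
    return sorted(set(small) | {n // d for d in small})

def admissible_exponents(order, q):
    """Values of lambda for a group of this order allowed by (ii): the
    cofactor order/lambda must divide both lambda and q - 1 (property (b))."""
    return [L for L in divisors(order)
            if L % (order // L) == 0 and (q - 1) % (order // L) == 0]

def exceptional_cases(q):
    """Quadruples (M, N, t, t') satisfying (i), (ii), (iii) for the prime power q."""
    B = isqrt(4 * q)                      # floor(2*sqrt(q)): the Hasse bound on |t|
    found = []
    for t in range(0, B + 1):             # (i): t >= 0, the twist covers t < 0
        for M in admissible_exponents(q + 1 - t, q):
            for N in admissible_exponents(q + 1 + t, q):
                # (iii): M | (q+1-t') and N | (q+1+t') together say
                # t' = t (mod lcm(M, N)); walk that progression inside [-B, B].
                L = M * N // gcd(M, N)
                first = t - L * ((t + B) // L)     # smallest such t' >= -B
                for tp in range(first, B + 1, L):
                    if tp != t:
                        found.append((M, N, t, tp))
    return found

def exceptional_prime_powers(limit=1024):
    """Every q <= limit for which Algorithm 1 prints at least one quadruple."""
    return [q for q in prime_powers(limit) if exceptional_cases(q)]

if __name__ == "__main__":
    for q in exceptional_prime_powers():
        print(q, exceptional_cases(q))
```

The bound $q \le 1024$ is the one established in the proof of Theorem 2, so this search together with that proof is the whole argument; the quadruples it prints for $q = 49$ include $(6, 8, 14, -10)$, the row of Table 1 discussed above.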



  q    M    N    t    E                            t'
  3    2    2    0    $y^2 = x^3 - x$              -2, 2
  4    1    3    4    $y^2 + y = x^3 + \alpha$     -2, 1
  5    2    4    2    $y^2 = x^3 + x$              -2
  7    2    6    4    $y^2 = x^3 - 1$              -2
  7    4    4    0    $y^2 = x^3 + 3x$             -4, 4
  9    2    4    6    $y^2 = x^3 + \alpha x$       -6, -2, 2
 11    4    8    4    $y^2 = x^3 + x + 9$          -4
 11    6    6    0    $y^2 = x^3 + 2x$             -6, 6
 16    3    5    8    $y^2 + y = x^3$              -7
 17    6   12    6    $y^2 = x^3 + x + 7$          -6
 23    8   16    8    $y^2 = x^3 + 5x + 15$        -8
 25    4    6   10    $y^2 + y = x^3 + \alpha^7$   -2
 29   10   20   10    $y^2 = x^3 + x$              -10
 49    6    8   14    $y^2 = x^3 + \alpha x$       -10

Table 1. Exceptional cases with $t \ge 0$. The coefficient $\alpha$ denotes a primitive element of $\mathbb{F}_q$.